Brazil: Millions of Records Leaked, Including Biometric Data

The security research team at SafetyDetectives has discovered a significant data leak in addition to other security flaws (such as lack of password protection) relating to fingerprint data on an Antheus log server in Brazil.

Our team, led by Anurag Sen, discovered almost 2.3 million data points in total and estimates that 76,000 unique fingerprints were found on the database.

Approximately 16 gigabytes of data were found on the Elasticsearch server including highly sensitive information related to identification and biometric details.

The Antheus server investigated by our security team is an identity server, which means it gives users access to the system or the ability to register as a new user. It also has fingerprint information in at least two “indices” from a total of 91 found by our research team.

Who is Antheus Tecnologia?

Founded in April 1996, Antheus Tecnologia develops and distributes Automated Fingerprint Identification Systems (AFIS), automated fingerprinting and other systems such as iris recognition devices.

Antheus Tecnologia claims it is the first Brazilian company to be certified by the US Federal Bureau of Investigation (FBI) and develops biometric solutions for domestic and overseas clients.

Number of Records Leaked: Over 81.5 million records including employee company emails, telephone numbers and 76,000 unique fingerprints

Size: 16 gigabytes

Location: Brazil

In addition to fingerprint information, there were also instances of biometric data vulnerabilities, such as face recognition data being accessible and retrievable from the database.

In parallel to the biometric data breach, Antheus Tecnologia also has another related vulnerability which we noticed during our investigation. The company provides services to a national Civil Identification System in Brazil used to issue driving licenses, although the access portal used for onboarding new users is not secure given the lack of password protection.

Furthermore, in addition to user data, administrator login information and several employee email addresses and phone numbers were also found.

Further server information

The Antheus identity server enables users to log in to its system or to register new users.

The practice of allowing access to server data in such a way is rather unusual. This methodology leaves the server exposed, but this could have been done purposefully. If so, it’s a rather strange option to take when it comes to ensuring security.

Our security team found two indices, potentially referring to two different companies using the Antheus server to store personal information including fingerprint data. Moreover, our investigation found data logs relating to precise fingerprint scans that can be reconstructed from the index numbers stored on the Antheus server.

According to our research, it may be possible to recreate (or reverse-engineer) a biometric image map for a particular fingerprint from strings of data found on the server.

From what we discovered, nefarious users can access the Antheus server and, after extracting the available data, could use the data stream of ones and zeros to recreate the full biometric image of someone’s fingerprint.

Data Breach Impact

Facial recognition, retina scans, fingerprint information and biometric data are permanent and cannot be changed. Once they are stolen, the perpetrator has a record of someone’s biometric information which enables them to commit repeated criminal offences in future including ID fraud.

Lax security measures for biometric information present a persistent security risk because even if the data cannot be used today, it can be stored and used at a later date given that its value does not diminish over time.

The unsecured method in which Antheus Tecnologia stores information is rather alarming considering its importance. It’s even more alarming that Antheus Tecnologia was built and deployed by a security company.

Instead of saving a hash of the fingerprint (that cannot be reverse-engineered), Antheus is saving people’s actual fingerprints through rudimentary encoding which can then be replicated for malicious purposes.

Potential Ramifications

By collating all the personal data found in the leak, criminals could use this information for various illegal and dangerous activities including:

Gaining access to restricted or classified information

Committing a range of financial crimes

Phishing attacks

Blackmail, extortion and ransomware

Crimes committed under the guise of someone else

The growing importance of fingerprint data

Data breaches relating to fingerprint data are particularly concerning because of the inherent inability of users to refresh their security information.

Given current consumer and professional trends, fingerprints are replacing typed passwords in many consumer goods such as phones and laptops.

Most fingerprint scanners on consumer goods are encrypted, so when a hacker develops technology to replicate your fingerprint, they could gain access to all the private information such as messages, photos and payment methods stored on your device.

Preventing Data Exposure

How can you prevent your personal information from being exposed in a data leak and ensure that you’re not a victim of attacks – cyber or real-world – if it is leaked?

Be cautious of what information you give out and to whom

Check that the website you’re on is secure (look for https and/or a closed lock)

Only give out what you feel confident cannot be used against you (avoid government ID numbers, personal preferences that may cause you trouble if made public, etc.)